About API Discovery

Fastly's API Discovery product provides a continuously-updating record of incoming application programming interface (API) traffic proxied through Fastly's Edge network. It's essentially an automatic API monitoring and cataloging tool that passively watches and records API traffic flowing through Fastly's content delivery network (CDN) and Edge Compute services, creating a comprehensive inventory of your APIs without manual tracking.

API Discovery requires zero code changes because your traffic already flows through Fastly's network. The system simply observes and catalogs traffic without any additional integration work. It provides comprehensive API visibility by giving you a bird's-eye view of your entire API ecosystem, showing how APIs are being used, tracking changes over time, and identifying potential security vulnerabilities. The automatic discovery eliminates the need to maintain manual API documentation or inventories, building this information automatically from actual traffic patterns.

Before you begin

API Discovery is disabled by default. To purchase the product, contact sales@fastly.com. Once API Discovery is enabled on a service, account users with the appropriate permissions can view the API Discovery details in the Fastly control panel as the product begins aggregating traffic automatically. You can view, search, and download aggregated records through the control panel to start gaining insights into your API ecosystem immediately.

How it works

API Discovery operates by passively monitoring HTTP traffic as it flows through Fastly's Edge network, automatically cataloging API patterns without requiring any changes to your applications. The system captures basic request information while respecting privacy boundaries, but its effectiveness depends on several technical factors including network scope, API architecture types, traffic patterns, and data processing methods. Understanding these operational aspects and limitations helps you set appropriate expectations and maximize the value of the insights provided.

When API calls pass through Fastly's edge servers, the system automatically captures key details including the domains being called, URL paths being accessed, and HTTP methods used such as GET, POST, and PUT. The system focuses only on basic request structure and does not analyze URL query string parameters or HTTP request body contents, ensuring privacy while still providing valuable API landscape insights.

Scope and coverage

API Discovery only discovers traffic passing through Fastly's Edge network and does not capture traffic outside this network or traffic inspected by Fastly's on-prem WAF. The system focuses exclusively on API traffic and excludes non-API traffic such as CDN media assets. If no API traffic is passing through Fastly's Edge network, the product will show empty results in the interface.

The system is optimized for REST APIs. While all HTTP-based API traffic is observed, the product does not explicitly support architectural patterns other than REST. For GraphQL APIs, which typically use a single endpoint with operations defined in the request body, all GraphQL calls will be grouped together rather than broken down by individual queries or mutations.

Dynamic URL normalization

API Discovery intelligently handles APIs with dynamic variables in URL paths. For example:

GET api.example.com/api/v1/user/x9KzsrACXZv8tPwlEDsKb6/info

(where x9KzsrACXZv8tPwlEDsKb6 is a user ID) would be displayed as:

GET api.example.com/api/v1/user/*/info

in the API Discovery table displayed in the Fastly control panel. The system detects when a URL path component has high cardinality (many different values at the same position) and automatically replaces that dynamic variable with a placeholder (*) once its cardinality exceeds a predetermined threshold. To prevent contradictory or duplicate entries, APIs with dynamic variables won't appear in the product until this threshold is met.
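The cataloging and normalization described above, as an added Python example (not Fastly's own code): it keeps only method, host and path, drops the query string, and replaces a path position with * once the distinct values seen at that position (among paths sharing the same prefix) exceed a threshold. The threshold value, the constructed sample requests and the choice to normalize per host across all methods are assumptions; the withholding of entries below the threshold is not modelled.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Assumed cardinality threshold: a path position with more distinct values than
# this (among paths sharing the same prefix) is treated as a dynamic variable.
CARDINALITY_THRESHOLD = 3

# Constructed sample traffic (not real Fastly data); query strings appear only
# to show that they are dropped, since the product does not analyze them.
SAMPLE_REQUESTS = [
    "GET api.example.com/api/v1/user/x9KzsrACXZv8tPwlEDsKb6/info?verbose=1",
    "GET api.example.com/api/v1/user/Qm1a8Lr0ZpT3vYe2wNcXs7/info",
    "GET api.example.com/api/v1/user/7HdKp2ZxLw9qRtYb4NmVe1/info",
    "GET api.example.com/api/v1/user/Bz3yWq8LmK0pXc5vRj2tNe/info?fields=name",
    "POST api.example.com/api/v1/user/x9KzsrACXZv8tPwlEDsKb6/info",
    "GET api.example.com/api/v1/orders?page=2",
    "POST api.example.com/api/v1/orders",
]


def parse_request(line):
    """Split 'METHOD host/path?query' into (method, host, segments); the query is discarded."""
    method, url = line.split(" ", 1)
    parts = urlsplit("//" + url)
    return method, parts.netloc, [s for s in parts.path.split("/") if s]


def normalize_paths(paths, threshold):
    """Position by position, replace a segment with '*' when its prefix group has more than `threshold` distinct values."""
    norm = [list(p) for p in paths]
    for i in range(max((len(p) for p in norm), default=0)):
        seen = defaultdict(set)  # prefix (already normalized) -> distinct values at position i
        for p in norm:
            if len(p) > i:
                seen[tuple(p[:i])].add(p[i])
        for p in norm:
            if len(p) > i and len(seen[tuple(p[:i])]) > threshold:
                p[i] = "*"
    return norm


def discover(requests, threshold=CARDINALITY_THRESHOLD):
    """Return {'METHOD host/normalized-path': hits}; paths are normalized per host across all methods."""
    parsed = [parse_request(r) for r in requests]
    by_host = defaultdict(list)
    for idx, (_, host, _) in enumerate(parsed):
        by_host[host].append(idx)
    catalog = Counter()
    for host, idxs in by_host.items():
        for idx, segs in zip(idxs, normalize_paths([parsed[i][2] for i in idxs], threshold)):
            catalog[f"{parsed[idx][0]} {host}/{'/'.join(segs)}"] += 1
    return catalog
```

With the sample above, the four GET calls and the lone POST collapse onto `GET api.example.com/api/v1/user/*/info` and `POST api.example.com/api/v1/user/*/info`, while the two-value `user`/`orders` position stays static.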

Data collection and timing

API Discovery observes sampled network traffic rather than every single API call, which means sporadic calls made in small quantities may not be captured due to the nature of sampling. The displayed timestamps associated with when an API call was last seen are estimates based on this sampling approach. The system uses background processing rather than real-time analysis, which enables longer observation periods for more accurate aggregation, including filtering out non-API traffic and performing URL normalization. There may be delays between when traffic passes through the network and when it becomes visible in the API list, but this processing approach improves data quality without adding any latency to your actual API requests.

API Discovery continuously monitors and accumulates recent API data for all customers in the background, regardless of whether the feature is enabled. This means when you activate the product, you may immediately see API entries with timestamps from before activation, providing historical visibility into your API traffic patterns.

Security products note

No security product, such as a WAF or DDoS mitigation product, including those security services offered by Fastly, will detect or prevent all possible attacks or threats. As a subscriber, you should maintain appropriate security controls on all web applications and origins. The use of Fastly's security products does not relieve you of this obligation. As a subscriber, you should test and validate the effectiveness of Fastly's security services to the extent possible prior to deploying these services in production, continuously monitor their performance, and adjust these services as appropriate to address changes in your web applications, origin services, and configurations of the other aspects of your Fastly services.